I have a question about this -- maybe I'm ignorant. But using https without self-signed keys actually allows the government to peer into your communications, doesn't it? We are worried about third parties stealing your data between you and your bank for example. A bank might be a bad example as they probably already have access to their databases for compliance reasons. Can't the US government ask for the keys of these US based certificate authorities?
My point is that https is probably equivalent to plain text when it comes to government surveillance.
Pretty much every OS/browser comes with root CAs belonging to the U.S. government (on OS X I see "DoD Root CA 2" and "DoD CLASS 3 Root CA", see also http://support.apple.com/kb/HT4415). As I understand it, if they wanted to, they could MITM any HTTPS connection by forging a certificate using their root CAs.
This is why people were upset when a root CA for some Chinese government agency was added to certain browsers. We don't trust the Chinese government, but we do trust the US government, I guess.
Of course, if they regularly forged certificates someone would notice. Right?
Which begs the question, how would we notice? If you diligently check certificates for sites you visit you might happen to notice facebook.com's CA suddenly changes from Verisign to the U.S. DoD.
Is there a better way? How can we automatically check that the certificates we get are legitimate?
At a minimum it would be nice if there was a warning when a cert doesn't match a previously seen one (similar to SSH).
I feel like a "web of trust" needs to be layered on top of the certificate authorities to really solve this problem. If 10 of my friends have seen the same certificate for a given website I'm inclined to believe it's legitimate. I'm also likely to trust certain organizations (EFF, etc.).
Of course it's also a user interface issue. The average user wouldn't understand a single sentence I wrote above.
No, it's not equivalent to plain text. If they had access to certificate authority keys (or the ability to compel CAs to issue certificates on demand), they would still need to pull off an active man-in-the-middle attack to be able to decrypt communications. Practically speaking, it seems like this would be harder to accomplish on an Internet scale than simply intercepting communications. So using HTTPS as much as possible probably helps, though you're correct that if you want to be completely certain your communications are secure you should not trust the certificate authorities.
It's not quite that bad. Even with a compromised certificate authority, it's not an invisible attack to do a man in the middle and inject their own certificate. Someone knowledgeable could notice this discrepancy and raise a stink.
Furthermore, Chrome (and soon Firefox) ships some known certificates for privacy-important, widely used sites (e.g. the major webmail services, torproject, etc.) which prevents even this attack. This defense has already caught Iran using a compromised CA.
(I'm not a cryptographer though, so please correct me if I'm wrong.)
I think it's only a handful of certificates that are pinned (they call it "HSTS preloading" here: http://www.imperialviolet.org/2011/05/04/pinning.html). While this does include gmail and some other Google properties, it doesn't seem to include any other major webmail services.
Ah dang, for some reason I thought that hotmail and y!mail were in there too. It looks like there's a commitment (which CAs you'll allow to sign your cert) that's needed from the site owner for HSTS to work. I hope they get in there one way or another soon.
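The two defenses discussed above, the SSH-style "certificate changed" warning and a site owner's pin commitment to specific certificates, as an added example that is not from any commenter in this thread. The hostnames and certificate bytes are constructed placeholders; a real client would feed in the DER bytes of the leaf certificate received in the TLS handshake.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates, so the example runs offline.
CERT_V1 = b"constructed DER for example.test, issued by Verisign (sample)"
CERT_V2 = b"constructed DER for example.test, issued by a different root (sample)"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


def check_certificate(host: str, cert_der: bytes, known: dict, pins: dict = None) -> str:
    """Trust-on-first-use check modelled on SSH's known_hosts, plus an optional
    per-host pin set (the site owner's commitment to specific certificates).

    Returns:
      "PINNED"        fingerprint is in the host's pin set
      "PIN_VIOLATION" host is pinned and this cert is not among the pins (hard fail)
      "NEW"           host never seen before; fingerprint is recorded
      "MATCH"         same fingerprint as previously recorded
      "CHANGED"       fingerprint differs from the stored one (warn, do not record)
    """
    fp = fingerprint(cert_der)
    # Pins take precedence: a pinned host must present one of the committed certs,
    # no matter which CA signed the one actually offered.
    if pins and host in pins:
        return "PINNED" if fp in pins[host] else "PIN_VIOLATION"
    stored = known.get(host)
    if stored is None:
        known[host] = fp          # first contact: remember it, like known_hosts
        return "NEW"
    if stored == fp:
        return "MATCH"
    return "CHANGED"              # the "key has changed" moment; surface a warning


if __name__ == "__main__":
    known_certs = {}                     # in practice persisted to disk between sessions
    pin_set = {"mail.example.test": {fingerprint(CERT_V1)}}   # constructed pin
    for host, cert in [("example.test", CERT_V1), ("example.test", CERT_V1),
                       ("example.test", CERT_V2), ("mail.example.test", CERT_V2)]:
        print(host, check_certificate(host, cert, known_certs, pin_set))
```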
Having the Certificate Authority private keys would allow an attacker to sign certificates allowing the impersonation of any entity... but it does not make other sessions, bootstrapped from other legitimate certificates, transparent to passive eavesdropping.
So no, government pressure on CAs wouldn't make all https like plaintext, but it does make active impersonation possible. Some initiatives like the 'SSL Observatory' or the EFF's 'Sovereign Keys' proposal could make it possible for clients to notice when a fishy new certificate is introduced for a previously-known identity -- much like the 'key has changed' warnings you may have seen when SSHing to a host whose keys have changed since your last session.
The problem with encryption is that the data still have to be in the clear at the endpoints to be useful. That's where it'll be nabbed, by surreptitious keyloggers, screen scrapers, filesystem scanners, etc. Decrypting data in transit is still a very difficult if not impossible proposition as far as I know.
That's why we should ENCRYPT EVERYTHING possible. Use HTTPS as much as you can.